ey staying relevant the evolving role of internal audit in ireland
TRANSCRIPT
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
1/32
Staying relevantThe evolving role of Internal Audit in Ireland
January 2014
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
2/32
Trinity College, Dublin (Cover: Salmon Weir Bridge, Mayo)
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
3/32
1EY
Executive summary ..............................................................................................................................................................2
Study insights: an overview ..................................................................................................................................................4
Align Internal Audit to the organisation’s strategic goals ...................................................................................................8
Drive Internal Audit efciency ............................................................................................................................................12
Maintain a balance between assurance and advisory ...........................................................................................................18
Run Internal Audit more like a business ...............................................................................................................................22
Internal Audit: Where do we go from here? ...........................................................................................................................26
Want to learn more? ............................................................................................................................................................27
Contents
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
4/32
2 EY
One of the key questions, explored with Irish participants in
the study was how Internal Audit could be improved and how
it can make an even greater contribution to the organisation.
In analysing the results of this question, four key improvement
priorities emerged:
1) Align Internal Audit with the strategic goals of the
organisation.
2) Drive efciency through integration, talent management
and use of data analytics.
3) Maintain a balance between assurance and advisory
reviews.
4) Run Internal Audit like a business.
Align Internal Audit with the strategic goals ofthe organisation
Interestingly, 56% of Irish participants said that their Internal
Audit function did not have a documented mandate that is
aligned to the business objectives, which correlates (61%) with
the international results.
Our view on this is that you would not expect a CFO or CIO in a
company today to not have a strategy or vision for the future
that was not clearly aligned with the overall business strategy –
so why should a head of Internal Audit be any different?
It is somewhat worrying that many Internal Audit functions in
Ireland do not have a formal Internal Audit specic strategy
that is aligned to the business and addresses the key elements
that will improve the functions’ performance and value. A
good strategy should include clear goals and key performance
indicators (KPIs) relating to people (e.g., developing people
and skills, hiring new talent) process (e.g., improving audit
techniques, data analytics, continuous controls monitoring)
and new technology requirements (e.g., procuring new
Governance, Risk & Control (GRC) tools and enablers to drive
efciency).
Executive Summary
By Liam McCaul, Advisory Services Leader, EY Ireland
The evolution of Internal Audit– are Irish companies keepingpace?
In a fast-changing business environment,
an organisation’s Internal Audit function
must adapt and evolve in order to stay
relevant to key stakeholders. In recent
years there have been major changes
in the board and management’s expectations of Internal Audit
and they are demanding more from the function. There is no
doubt that the range and nature of Internal Audit activity being
performed within organisations has changed with increased
demand for far more advisory support on strategic initiatives
and a drive for broader and deeper Internal Audit coverage
using more efcient Internal Audit techniques.
Our overarching message to Irish companies is that Internal
Audit, like any other function, needs to be aligned with the
strategic goals of the organisation. Senior executives in Ireland
continue to be under pressure to maximise value from all areas
of the business. Compliance, risk management and assurance
functions should be treated no different to any other part of
the business in this regard.
This is a central nding of our study Staying Relevant – The
evolving role of Internal Audit in Ireland (which places the
ndings of an EY Global survey solidly into an Irish context).
The good news from our study is that 93% of Irish Heads of
Internal Audit participants rated their Internal Audit function
as somewhat effective or very effective. Despite this, Heads of
Internal Audit in Ireland are very aware of the need to improve
their contribution to the business and are anxious to raise
standards even higher.
Over three quarters of Irish participants see a need to improve
their Internal Audit function, a gure that is comparable to theglobal nding.
The difference lies in the sense of urgency, 57% of Irish
participants believe improvements to the Internal Audit
function should take place over the next twelve months, more
than twice the comparable global gure which lies at 28%. This
nding shows that Irish organisations are aware of the need to
improve the value their Internal Audit functions deliver today
and are acting on it.
*EY Global Internal Audit Survey 2013
- Available from
www.ey.com/internalaudit
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
5/32
3EY
Drive efciency through integration, talentmanagement and use of data analytics
Internal audit efciency is seen as key to deriving the bestvalue from the limited resources available. In our study, all
participants displayed a desire for further integration of their
Internal Audit function with other risk and assurance functions.
Data analytics also emerged as a key driver for efciency and
effectiveness in Internal Audit globally. The lack of suitably
skilled resources continues to be a seen as a constraint in the
adoption of data analytics tools and methodologies, however,
our experience is that data analytics can be adopted by existing
Internal Audit staff where there is a will to invest and persevere
with a data analytics strategy.
It is also important that Internal Audit understands the skills ithas, the skills it needs and where there are gaps in competency
areas. Having access to capable and skilled people whether in-
house or from external providers is the key to establishing an
Internal Audit structure that is t for purpose and has a solid
foundation on which to deliver value – no audit methodology or
tool can replace this basic requirement.
Maintain the balance between assurance andadvisory reviews
We are increasingly seeing audit plans in Ireland being
rebalanced to show a mix of advisory and assurance
reviews, thematic audits and issue based audits. 86% of Irishparticipants reported that advisory reviews made up some
of their Internal Audit plan with 65% of organisations having
advisory/consulting type reviews accounting for 5%-25% of
their Internal Audit plan.
We are seeing Internal Audit in Ireland playing a much more
prominent role in strategic initiatives such as IT System
Implementations (72%), Major Capital Projects (53%) and
Material Contracts (37%). This nding is consistent with our
global results and shows many Irish participants are at the coal
face providing assurance and advice on important business
issues. Thematic and issues based reviews are also making a
resurgence and these reviews can be a great way for Internal
Audit to provide business insights and value on broader
business topics.
Our advice is that even where the Internal Audit function has
the skills to be ‘more advisory’ always remember that you need
to remain objective and independent in giving your advice.
It comes back to Internal Audit, understanding its mandatewith key stakeholders. Each organisation is unique, if there
is a demand for providing more advisory reviews Internal
Audit should be ready to adapt and be exible to support
this demand in order to stay relevant (while continuing to
provide the non-negotiable control and compliance monitoring
activities).
Run Internal Audit like a business
An Internal audit function needs to operate like any other
function of the business, holding itself accountable for
operational excellence, cost containment, continuous
improvement and tracking its value and impact on thebusiness. To achieve this, activities should include: designing a
value charter and scorecard; determining an optimal operating
structure; and evaluating success and monitoring KPIs.
Developing a value charter enables Internal Audit to effectively
measure the value it delivers to the organisation and should
become the norm in the future here in Ireland.
In conclusion
While some Irish Internal Audit leaders appear to be keeping
pace and are responding to the changes we are seeing in
Internal Audit, for others there is word of caution – invest now
in getting to know your stakeholders and what they expect
from you as a function and how they perceive value. In order to
demonstrate value Internal Audit leaders need to align to key
strategic goals and manage the function like a business, driving
efciency with a clear focus on delivering value. If Internal
Audit leaders in Ireland can do this then they will stay relevant
to the organisation – otherwise the business will leave them
behind.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
6/32
4 EY
Study insights
93% of Irish participants rated their Internal Audit function as somewhateffective or very effective93%
57% of Irish participants believe improvementsto the Internal Audit function should take placeover the next twelve months, more than twicethe comparable global gure which lies at 28%
57%
56% of Irish participants said that their Internal Audit function did not
have a documented mandate that is aligned to the business objectives
63% of Irish participants are performing morefraud related reviews since the recession hit
56%
86% of Irish participants reported that advisory reviews made up someof their Internal Audit plan with 65% of organisations having advisorytype reviews accounting for 5%-25% of their Internal Audit plan86%
77% of Irish participants aspire for stronger
integration of Internal Audit and EnterpriseRisk Management (ERM)77%River Liffey, Dublin
63%
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
7/32
5EY
Q:How pressing is your need to improve your Internal
Audit function?
7%
57%
15%
4%
17%
We need to make
improvements within
the next 12 months
We need to make
improvements within the
next 12 to 24 months
We need to make
improvements, but not
within the next 24 months
We do not need to make
any improvements at
this time
Don’t know
Introduction
The role of Internal Audit has evolved over the last number of
years to a position where many organisations see the function
as a strategic advisor to the business. Partly, due to economic
pressures, there is now more focus on the value and relevance
of Internal Audit to business goals and objectives.
In Ireland, a gap existed in the understanding of the evolution
of the Internal Audit function relative to the global picture.To address this, EY conducted a study involving over 45
Heads of Internal Audit (HOIA) including, industry leaders,
manufacturing giants and public service providers based in
Ireland. The aim of this study was to gain an understanding
locally, of where Internal Audit was moving, how it was
structured, what was expected of it and how investment in it
was standing up to recessionary pressures.
The ndings of our study draw comparison to EY’s Global
Internal Audit Survey which was conducted across 26
individual sectors in 2012.
Internal Audit effectiveness
The majority of Irish organisations saw their Internal Audit
function as being effective – but at the same time more than
57% want to make improvements to their Internal Audit
function in the next 12 months compared to 28% globally.
We were also interested to ask Irish organisations about
the impact of the recession on Internal Audit. Internal Audit
activity has increased during the recession as margins becometighter and the cost of failure correspondingly higher, leading
to heightened attention to, and investment in, key Internal
Audit areas - 63% of the participants were doing more in the
area of fraud, 49% in IT system reviews, 44% in data leakage
reviews and 42% in business continuity/crisis management
reviews.
Fraud related reviews
63% 7%30%
Active risk reviews
40% 51% 9%
Business continuity/crisis management reviews
42% 2% 49% 7%
IT system reviews/monitoring
49% 9% 37% 5%
Data leakage reviews/monitoring
44% 2% 42% 12%
Financial transactions reviews/monitoring
35% 63% 2%
Cost control reviews
37% 5% 44% 14%
More Less No change No impact at all
0 20 40 60 80 100
Q:How has your Internal Audit activities been impacted by
the recession/nancial crisis?
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
8/32
6 EY
In our study, 60% of participants saw strong risk management
as having a positive impact on their long-term earnings
performance.
Internal Audit functions face a challenge in balancing the need
for compliance programmes to be continuously strengthened
and improved in order to mitigate against the risk of fraud
and corruption against the backdrop of requirements for cost
cutting. Compliance departments are globally under increasing
pressure to deliver more effective programmes for less,resulting in a need for smarter use of limited resources in areas
where an organisation’s risks are greatest. To truly focus on
the risks that matter, create value and help the organisation
achieve its objectives, Internal Audit leaders need to focus
on aligning their own strategy to that of the overarching
organisational strategy. We have identied four key priorities
that leading Internal Audit functions need to action to enable
effective alignment with the organisation’s strategic objectives,
to increase its relevance to the business and to help the
organisation achieve a risk maturity that supports sustainable
and stronger nancial performance. These are to:
1) Align Internal Audit with the strategic goals of theorganisation.
2) Drive efciency through integration, talent management
and use of data analytics.
3) Maintain a balance between assurance and advisory
reviews.
4) Run Internal Audit like a business.
The remainder of this report discusses each of these areas
individually.
Strongly positive
Somewhat positive
No impact at all
Strongly negative
Somewhat negative
Don’t know
16%
44%19%
2%
19%
Q:What sort of impact has strong organisational
risk management had on your long-term earnings
performance?
Key learning:
To truly focus on the risks that matter, create value and help the organisation achieve its objectives, Internal Audit needs to
focus on aligning its own strategy to that of the overarching organisational strategy.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
9/32
7EY
The River Lee, Cork
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
10/32
8 EY
Align Internal Audit to theorganisation’s strategic goals
1
32 4
Leverage the organisationalstrategy
To create value and maximise relevance to the organisation,
Internal Audit leaders need to have sight and a solid
understanding of the organisation’s broader business
imperatives.
However, when we asked participants whether Internal Audithad a documented mandate that is aligned to the overarching
business strategy, 56% of participants in Ireland said no
compared to 61% in the global survey. Our study identied
organisations taking different approaches to how Internal
Audit operates. Some participants revealed that they align
closely to business strategy and have a closer operational
working relationship with their Audit Committee. Others, in
contrast, showed a preference for having an ‘arms length’
relationship with the business and prepared Internal Audit plans
independent of the business strategy. Indeed others we met, felt
that the objectives of Internal Audit and business functions were
incompatible as the overarching objective of the business was
viewed as prot-maximisation.
Experiences vary but one thing is clear: Internal Audit should
be guided by the organisation’s over arching strategy to guide
the process for identifying the risks that matter most. In order
to remain relevant, Internal Audit leaders need to align their
approach to risk assessments with the organisation’s strategic
objectives. Our participants commented that they are changing
their approach to reect this because more Audit Committees
are looking for greater alignment of the audit plan to business
strategy and the risks that really matter.
Many Internal Audit leaders new to their role embark on
a journey to transform their Internal Audit function. Their
approach can often be tactical in nature and not focused on a
long-term strategic plan for Internal Audit. Our study shows that
many do not have a higher level Internal Audit-specic strategic
plan that enables Internal Audit to align it’s objectives to the
organisation.
Yes, aligned with
the over arching
business strategy
No, separate
independent from the
overarching business
strategy
No, no explicit Internal
Audit mandate has
been articulated
49%
7%
44%
Q:
Does Internal Audit have an explicit and documented
mandate aligned to business?
Key learning:
Don’t gamble when it comes to addressing risk. Become more relevant by using the organisation’s business strategy to
identify the risks that matter most.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
11/32
9EY
Develop a well aligned InternalAudit strategy
An Internal Audit strategy should be guided by the business
strategy and developed on a rolling yearly basis. Internal Audit
leaders in Ireland revealed different views on the issue of
alignment with some looking to better align with the business
strategy, while others stated that they wish to maintain
independence and are less concerned with being aligned withthe business strategy.
Our view is that the Internal Audit function must be aware of
all enterprise risks regardless of whether they are providing
assurance for these risks.
An Internal Audit strategy should have a long-term (e.g., three
to ve years) timeframe and have a road map that is based on
the organisation’s overall strategy, stakeholder expectations
and regulatory requirements. A good strategy should
include clear goals and key performance indicators (KPIs)
relating to people (e.g., developing people and skills, hiring
new talent), process (e.g., improving audit techniques, dataanalytics, continuous controls monitoring) and new technology
requirements (e.g., procuring new Governance, Risk & Control
(GRC) tools and enablers to drive efciency).
Risk-based
approach
Rotational
approachNo
strategy
Strategically
aligned
‘Inefcient, unprioritised’
Captures process level risk
but unable to strategically
prioritise
‘Broken Internal Audit
business’
Issues identied by luck
rather than planning
‘Optimised Internal Audit
business’
Strategically aligned and
risk-based
‘Aligned but not objective’
Strategically aligned but
lacking independent risk
assessment
1
32 4
“On an annual basis, Internal Audit
does a three-to four-year strategy.
If we have just changed something
– our business ethics statements or
other major change to the business –
that will rise in priority.”
Survey respondent
Key learning:
Develop an Internal Audit-specic strategy that matches the organisation’s strategic plan time horizon to increase
organisational alignment and improve Internal Audit’s relevance to other operating functions.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
12/32
10 EY
Steps to create a comprehensivestrategy document and roadmap
Leading Internal Audit functions follow four steps to create a
well-aligned strategy:
1. Develop or rene Internal Audit’s strategic vision. Know
the function’s roles and responsibilities, the needs of
its key stakeholders, what its mandate is and what theInternal Audit function should accomplish over a long-
term period.
2. Identify and prioritise key strategic initiatives. Based on
the mandate and strategic vision, align initiatives to key
business risks and key operational and nancial priorities.
Make sure that processes, methodologies and tools are up
to date, that Internal Audit has the industry and functional
insights it needs, and that stafng models are exible
enough to anticipate change and address emerging risks/
issues.
1
32 4
Key learning:
Create a strategy document that details Internal Audit’s strategic vision, key initiatives, relevant KPIs and an implementation
plan that maps initiatives against a timeline, resources and competing priorities.
Developing a formal Internal Audit strategy document
Execute, track, adjust and communicate
Develop or rene
Internal Audit’s
strategic vision
Identify and
prioritise key
strategic initiatives
Design the
appropriate key
performanceindicators (KPIs)
Develop an
operating strategy
3. Design the appropriate key performance indicators (KPIs).
Determine how Internal Audit measures its success
against the prioritised initiatives, how it aligns withstakeholder expectations, and how to track productivity
and value-driven measures.
4. Develop an operating strategy. Detail activities that enable
Internal Audit to achieve its strategic initiatives. Determine
key milestones and how the function is communicating its
progress to key stakeholders. Also, put steps in place that
enable Internal Audit to adapt to changing priorities so
that it can maximise its relevance to the business.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
13/32
11EY
The Burren, Clare
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
14/32
12 EY
Internal Audit efciency is seen as key to deriving the best value from the limited resources available. Efciencies can be gained
through greater integration of Internal Audit with other risk functions throughout the organisation. Best practice is to avoid
duplication across risk management functions by being aware of all enterprise Governance, Risk and Compliance (GRC) activities
and through the sharing of data by the various assurance functions.
Drive Internal Audit efciency
Integration of Internal Audit andother risk functions
As an organisation changes and grows, its risk, control and
compliance activities often become fragmented, siloed,
and misaligned. This has an impact on both the governance
oversight and the business itself. Often, there are multiple
communications to management and the board that overlap
and cause confusion.
In addition to generating cost savings and reducing fatigue
on the business, reporting on risk through a coordinated lens
enables the board to gain a broader perspective into the health
of the organisation and its risk management strategy.
When asked, stakeholders indicated they are seeking
signicantly higher risk coordination in the future.
Participants showed a convincing desire for further integration
of their Internal Audit function in areas where there is already
a relatively high degree of integration, namely enterprise
risk management (ERM) and fraud and investigations. ERM
shows the highest level of ambition in this regard with 44%
of participants stating that Internal Audit was already highly
integrated with ERM and 77% were aspiring for the two to be
even more integrated.
70%30%
16%53%30%
16%40%44%
16%30%53%
58%33%9%
30%49%21%
35%37%28%
56%16%28%
79%12%9%
Corporate compliance
ERM
Fraud and investigations
Health and safety
Sustainability
Legal and regulatory
Ethics
Sox or equivalent
Other
0 20 40 60 80 100 0 20 40 60 80 100
Corporate compliance
ERM
Fraud and investigations
Health and safety
Sustainability
Legal and regulatory
Ethics
Sox or equivalent
Other
14%
40%
30%
53%
51%
42%
44%
26%
14%
9%
5%
33%
35%
16%
12%
33%
79%
77%
56%
70%
14%
14%
42%
44%
42%
7%
Highly integrated Somewhat integrated Not integrated
Q: Q:How integrated is Internal Audit with the following risk
functions in your organisation?
How integrated would you like them to be?
2
31 4
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
15/32
13EY
Enterprise Risk Management
Our view is that attitudes towards Enterprise Risk Management
(ERM) in Ireland are still maturing with only 60% of Irish
participants seeing strong risk management as having a
positive impact on their long-term earnings performance,
(compared to 75% of global participants). Other recent
research from EY has identied that organisations with more
mature risk management practices outperform their peers
nancially – see Turning risk into results*.We see room for improvement in how ERM is valued by Irish
participants. Only a quarter of these organisations believed the
impact to be strongly positive with the other three-quarters
vouching for a somewhat positive impact.
For larger organisations it is not recommended that Internal
Audit functions also administer ERM, however for practical
reasons this is something that small and medium sized
companies should consider doing to align skills and experience
that may be best leveraged from the Internal Audit function.
2
31 4
Key learning:
Coordinate among risk functions to improve risk coverage and drive valuable insights for the business. Use coordinated risk
reporting to give the audit committee a broader perspective into the health of the organisation.
The majority of large organisations have ERM as a standalone
function and process, acting as a second line of defence.
Internal Audit may set the framework and reporting lines
for ERM, however, they do not look after the running of the
function on a day-to-day basis. We are seeing a growing trend
towards alignment between Internal Audit and ERM to bring
greater convergence on managing the risks that really matter
to the business. ERM and Internal Audit functions are working
closer than ever before to develop smarter assurance maps
which demonstrate better alignment on risk coverage. By
working together these risk functions can help the company
avoid paying for costly duplication of risk management activity
and avoid being exposed to gaps in their Governance, Risk and
Compliance (GRC) functions. In striving to avoid duplication,
organisations are becoming increasingly aware of GRC tools
and enablers with data from all risk functions being shared
through a central common GRC platform to drive better
business value and reporting.
Recommended reading
*Turning risk into results
How leading companies use risk
management to fuel better performance.
- 2012
“When it comes to strategy
development and execution, it’s
important for risk to enable business
performance — not simply protect the
business.”
Survey respondent
http://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENT
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
16/32
14 EY
Fraud risk management
When asked how integrated Internal Audit was with fraud
and investigations, 53% of Irish participants said it was highly
integrated, however, 70% would aim for higher integration. Our
2013 EMEIA Fraud Survey reveals that executives and their
teams are under increased pressure to produce growth and
prot in challenging conditions. Unethical conduct - including
fraud, bribery and corruption- appears to persist in this
environment, and compliance programmes are not managingthe risk as effectively as possible.
Some of the key ndings show:
42%Of board directors and senior managers are aware of some
type of irregular nancial reporting in their organisation
....................................................................................
57%Of respondents feel that corrupt practices are widespread intheir country....................................................................................
49%Of sales staff do not consider their organisation’s anti-
corruption policy to be relevant to their work
Some common features that were observed amongst those
organisations who manage anti-bribery and anti-corruption
programmes most effectively include:
• Owning the problem and acknowledging the risk;
• Ensuring the risks are understood and shared throughout
the organisation;
• Developing a corporate culture where bribery and corruption
is unacceptable;
• Creating a tough compliance and monitoring programme.
Recommended reading
2013 EMEIA Fraud Survey - Navigating
today’s complex business risks
Europe, Middle East, India and Africa
Fraud Survey 2013
2
31 4
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
17/32
15EY
Enterprise-widecoverage
Active participationby the business unit
management
Linkage toorganisation strategy
and key initiatives
Active participationby executive
management
Input from other riskmanagement functions
Active participationby external audit
Formal facilitatedworkshop to validate
and prioritise key risks
0 20 40 60 80 100
79%
58%
72%
84%
53%
19%
33%
Q:Which of the following do you consider to be the key
elements of the Internal Audit risk assessment process?
Select your top three.
Conducting real-time risk assessments
Irish Internal Audit functions are focused on ‘active
participation by executive management’ and ‘enterprise wide
risk coverage’ which are cited by 84% and 79% of participants
respectively as a key element of the Internal Audit risk
assessment process. 72% of the Irish-based organisations also
see the linkage to organisation strategy and key initiatives as a
key priority.
Globally, we are seeing leading organisations incorporating
a quantitative component with data-driven analytics being
used to produce more focused stakeholder discussions and
workshops to validate and prioritise key risks.
2
31 4
Key learning:
An annual risk assessment may no longer be enough if Internal Audit wants to remain relevant to the business. Focus regular
risk assessments on enterprise-wide coverage, management participation and a direct link back to the company’s overall
strategy.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
18/32
16 EY
Employing innovation and dataanalytics throughout the auditcycle
While most participants recognise the benets of using
data analytics, the lack of suitably-skilled resources is a key
barrier to the adoption of these tools and methodologies.
A clear majority of Internal Audit functions say that they
use data analytics. In many cases however data analytics isused on an ad hoc basis, without the additional capabilities
of data warehousing, benchmarking or continuous controls
monitoring. Also, only a small percentage of resources within
Internal Audit have the necessary skills to use data analytics.
Internal Audit should consider developing a comprehensive
data analytics programme that can be embedded into the
entire audit life cycle. Using data analytics can produce more
focused risk assessments, more efcient execution, increased
risk coverage and more effective reporting.
Data analytics options available to augment traditional rules-
based tests include: model-based, statistical and text mininganalytics, as well as visual analytics.
Demonstrate Internal Audit value
Data analytics provides opportunities for broader audit
coverage than the traditional sample-based approach. Instead
of analysing a representative selection of data, the entire data
set can be accessed and analysed remotely, resulting in less
disruption to the business.
Through the use of data analytics, Internal Audit can generate
better business insights into processes that management
cannot readily get from existing reports – maybe due to
system limitations. For example, the ability to analyse the raw
transactional data from multiple dimensions and to perform
targeted analysis can identify inefciencies, errors and risk in
business processes.
Furthermore, the successful implementation of data analytics
by Internal Audit can act as the catalyst for introducing data
analysis techniques to the wider business. In our experience
the Internal Audit function can be seen as leaders by
demonstrating that these techniques work, which in turn
encourages management to consider using analytics for
detection controls (e.g. Continuous Controls Monitoring) and to
deliver more frequent insights on key business processes.
Finally, data analytics can enhance the presentation andfollow up of issues reported by Internal Audit. For example,
the ability to visually represent the nature and impact of the
issues detected can lead to a more meaningful discussion with
management and the audit committee.
2
31 4
• Repeatable process and controls
analytics across key business
cycles: FSCP, P2P, O2C, HR
• Identication of fraud risk
indicators prevalent in
transaction activity
• Forms the basis for a continuous
monitoring/auditing
Controls
Basic analytics focused
on controls • Leveraging analytics to monitorprocess performance across keybusiness cycles
• Benchmark process metrics
against business units or
external indicators
• Integrate analytics into the
annual risk assessment process
Insight
Business insight • Fully integrated continuousauditing for standard processes
• Potential to deliver more valueas more time for analysis and
interpretation
• Advanced analytics techniques
– optimisation, data mining,
statistical analysis
Value
Integrated and repeatable
A n a l y t i c s m a t u r i t y
Impact on organisation
Risk control EnablementPerformance Prediction
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
19/32
17EY
The greatest potential for data analytics
Key areas that can be identied for adoption of data analytics
include:
• Assessing the effectiveness of controls over a high volume oftransactions for example, sales data, customer data, nance
data, procurement data, HR data e.g., time, attendance and
expense data, etc.
• Proling and analysing data to help understand transaction
ows, user/customer behaviours and to identify outliers in
data associated with standard business cycles.
• Analytics to target sampling on high risk areas such as
activity in the General Ledger close to period end.
• Quantication of risk and impact when issues are detected
by looking for patterns across the entire dataset.
• Fraud endeavour detection.
• Quality assurance for operations and nance.
In order to successfully integrate data analytics in the Internal
Audit plan, it is important to plan early and start with the areas
where analytics could have the most impact.
Assessing skills and managingtalent
As the role of the Internal Auditor evolves and stakeholder
expectations rise, Internal Audit increasingly requires
competencies that exceed the more traditional technical skills.
In addition to Internal Audit knowledge, stakeholders expect
Internal Auditors to have the ability to team with managementand business units on relevant business issues. They also
expect Internal Audit resources to have deep sector knowledge
and business acumen.
It is important that Internal Audit understands the skills it has,
the skills it needs and where the gaps are in each competency
area. The following are two approaches Internal Audit can take
to attract the right capabilities:
Auditor rotation programme This programme provides opportunities for auditors to
rotate through other positions within other business units or
functions in other parts of the organisation.
Guest auditor programme This programme provides an opportunity for high-performing
employees from other parts of the business to gain Internal
Audit experience, providing the function with specialised skills
that may reside in other functions or business units.
Key learning:
Use analytics as part of a comprehensive programme
throughout the audit life cycle rather than on an ad hoc
basis. Embedding data analytics into the audit plan can help
Internal Audit guide the risk assessment, drive enterpriseefciencies, add tangible value to the business, and
facilitate more effective communication to Management
and the Audit Committee.
Recommended reading
Matching Internal Audit talent to
organisational needs
Key ndings from the Global Internal
Audit Survey -July 2013
2
31 4
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
20/32
18 EY
Maintain a balance betweenassurance and advisory
Recommended reading
Key considerations for your Internal
Audit plan
Enhancing the risk assessment andaddressing emerging risks - May 2013
Finding the right balance betweenassurance and advisory
Audit plans in Ireland are increasingly being rebalanced to
show a mix of advisory and assurance reviews, thematic
audits and issues based audits. 86% of the Irish participants
reported that advisory reviews made up some of their audit
plan. However, compared to the global ndings (where 59%
of participants reported that advisory reviews made up25% or more of the audit plan), advisory type reviews were
relatively unrepresented in Irish audit plans with 65% of the
Irish participants having advisory reviews accounting for only
5-25% of the audit plan. Finding the right balance is important.
Internal Audit should always safeguard compliance but also
needs to be a strategic adviser to the business. The balance is
not always easy to reach.
Conducting thematic audits
Thematic audits are not new to Internal Audit. But they are
making a resurgence as stakeholders increasingly work to
know the implications, magnitudes and insights that audit
ndings convey. Themes should be tailored to the sector,organisational structure, business life cycle and strategy.
Conducting issue based audits
Issue-based audits are another way for Internal Audit to add
value to the business by providing insights on strategic business
issues. These audits can be planned in advance, aligned to the
business strategy or ad hoc based on business requests or
unexpected events that occur throughout the year. These audits
can include a mix of advisory and assurance reviews. Internal
Audit would also be wise to build time into the audit plan for
potential ad hoc issues.
3
21 4
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
21/32
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
22/32
20 EY
Trends in execution
Trends in execution suggests that Internal Audit will continue
to focus on a mix of business and information technology
(IT) reviews, with an increased emphasis on strategic and
operational risks.
72% of Irish based organisations cite information technology
systems implementation as having central importance for
Internal Audit functions. In addition, Internal Audit in Irelandis playing a more prominent role in organisational issues, such
as:
• Major capital projects (53%)
• Material contracts (37%)
• Mergers, acquisitions and/or divestitures (33%)
• Major construction projects (30%)
Q:Which of the following does Internal Audit play a role in?
0 10 20 30 40 50 60 70
30%Major construction
projects
53%Major capital projects
72%IT systemsimplementations
23%New product roll-out
33%Mergers, acquisitions
and/or divestitures
37%Material contracts
12%New market entry
“The earlier Internal Auditgets involved during majorchange initiatives the greaterthe opportunity to inuence
better risk outcomes andadd value to the business.”
Survey respondent
3
21 4
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
23/32
21EY
The River Lagan, BelfastFanad Lighthouse, Donegal
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
24/32
22 EY
1 32
4
Run Internal Audit like abusiness
Internal Audit needs to operate like other facets of the business, holding itself accountable for operational excellence, cost
containment, continuous improvement and tracking its value and impact on the business.
To achieve this Internal Audit functions should:
• Design avalue charter and scorecard
• Establish an Internal Audit structure that ts
• Evaluate success and monitor KPIs
Vision statement Value charter• Strategic goals:
• People
• Highly engaged workforce
• World-class safety
• Performance product and process:
• Number one in quality
• Market leadership
• Market-leading availability
• Protable growth:
• Revenue
• EPS growth
• Critical success factors:
• People
• Quality• Product
• Velocity
• Distribution
• Emerging markets
Value attributes for IA
• Leadership development
• Subject-matter knowledge
• Training and certication
• Utilisation
• Audit relevance to risks that matter
most
• Efciency and effectiveness of audit
process
• Value impact on the business (process
improvement)
• Business relationships, insights and
advisory focus• Six Sigma-principled
• Risk coverage
Value scorecard measurements
• Staff placement/attraction to/from
business
• SMRs leveraged in the audit project(s)
• Training hours, CPEs and certications
attained
• Team headcount and utilisation
• High-risk areas addressed
• Issues monitored and closed (H/M/L)
• Recommendations made and implemented
• BU executive interactions and key initiative
inclusion
• Costs contained/recovered and revenueenhancements identied/implemented
• Emerging market insights and red ags
monitored and reported
Designing a value charter andscorecard
The value charter should include a vision statement and
commit Internal Audit to:
• Delivering consistent, seamless and high-quality service to
the organisation
• Being recognised as the catalyst for strengthening the
organisation’s control performance
• Serving as a catalyst for the enhanced efciency of the
organisation’s control environment
Developing a value charter enables Internal Audit to effectively
measure the value it delivers to the organisation.
In addition to the value charter, developing a value scorecard
is essential for measuring Internal Audit’s success. Traditional
KPIs have focused on Internal Audit’s level of effort (i.e.,
productivity), such as utilisation or completing the audit plan —
as cited by 86% of Irish study participants.
• Business unit cost savings realised
• Leading practices implemented
• Benchmarking and business insights Internal Audit brings to
the business
• Percentage of subject-matter resources that increase an
audit’s depth or value
However, more effective KPIs focus on the value Internal Audit is delivering to the organisation. Measurable value-drivers can
include:
Key learning:
Hold Internal audit to the same standard of continuous improvement to which operational functions are held.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
25/32
23EY
1 32
4
Establishing an Internal Auditstructure that ts
There is no ‘one-size-ts-all’ organisation structure for an
Internal Audit function. An organisation could be centralised,
decentralised or a hybrid hub.
The audit functions of Irish based organisations reect a high
degree of centralisation. Three quarters of the organisations(74%) had their Internal Audit function centralised in a single
location with only 2% of organisations opting to decentralise
by business unit. A hybrid model was the preference of just
under a quarter of the organisations. This makes for a notable
contrast with the international experience where centralisation
was the norm for 49% and hybrid models the preferred practice
for 16%. Decentralisation was the preferred practice for 35% of
the organisations.
Hybrid structure
Decentralised: by
business unit
Centralised: in one
location
2%74%
24%
Q:How is Internal Audit structured?
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
26/32
24 EY
1 32
4
When selecting an Internal Audit structure, Heads of Internal
Audit need to ensure that it aligns to the overarching
organisation structure. They also need to consider both the
benets and the risks of each structure before making a
decision:
• Centralised functions enable increased consistency
and control, and demand management, as well as a
comprehensive view of the overall organisation. However,
audit teams may not be close enough to operating units
or geographic locations to offer deep insights or strategic
value.
• Hybrid functions, which generally operate as regional hub
and spoke models, are often used by global organisations.
This structure tends to offer better access to language,
culture and local regulatory knowledge, while maintaining a
high level of consistency.
• Decentralised functions offer the highest level of operating
unit knowledge and responsiveness and can often play a
strong advisory role at a local level. However, decentralised
structures can inhibit global consistency and objectivity.
Under this model, local Internal Audit functions must have
strong reporting relationships to the Head of Internal Audit.Additionally, it is important for Internal Audit to make a
condent choice based on the culture and needs of the
organisation. Factors that may inuence decision making on
choosing the right t may include:
• The broader structure of the business
• The organisation’s risk prole
• Cost
• Independence requirements
• Geographic diversity
Key learning:
Make a condent choice on Internal Audit’s structure — centralised, decentralised or a hybrid — based on organisational
alignment, risk tolerance and the culture of the organisation.
Q:Do you out-source all or part of your Internal Audit
capabilities?
No, we don’t
outsource any of
our Internal Audit
capabilities
Yes, we outsource
all of it
Yes, we outsource
more than 75% of it
Yes, we outsource
50-75% of it
Yes, we outsource
25-49% of it
Yes, we outsource
less than 25% of it
11%
7%
2%
11%
41%
28%
In-sourcing versus out-sourcing
Irish organisations appear to be leaning towards out-sourcing
rather than building bigger Internal Audit teams. Internal Audit
in Ireland is currently heavily outsourced, with 72% of Irish
organisations out-sourcing to some extent – with 20% of this
group out-sourcing greater than 50% of their plan. There is a
particular tendency to out-source for certain skills in risk areas
such as technology or project audits. The lesson from this is
to ensure Internal Audit leaders have a clear view of the skillsrequired to deliver an effective audit plan – where skills are not
readily available out-sourcing is a viable option.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
27/32
25EY
74%
Signicance of ndingsand recommendations
86%Completed audits per
plan
47%Length of time for issueof audit report
58%Percentage of
recommendationsimplemented
33%Length of time to
resolve audit ndings
33%Budget compared to
actual hours per audit
26%Process improvementrecommendations
33%Business unit/auditeesatisfaction surveys
63%Audit committee
satisfaction
14%Revenue enhancement/savings/cost reductions
identied
28%Requests from the
business for a review/
audit/advice
14%Support of key businessinitiatives
0%Return on investment
of the Internal Audit
functions
7%Value of realisedrevenue and/or savings
37%Meetings/relationship
with customer/auditee
21%Internal Audit personnel
transfers into thebusiness
0 20 40 60 80 100
Q:What metrics do you include on a value scorecard to
measure Internal Audit effectiveness?
1 32
4
Evaluate successes and monitorKPIs dened on the valuescorecard
To help Internal Audit execute effectively and achieve the
objectives established in the Internal Audit strategy, the
function needs to be able to regularly track its performance.
Internal Audit aspires to be more relevant to the business butonly 14% of Irish participants cited support of key business
initiatives as a metric to measure Internal Audit’s effectiveness.
The Irish participants accorded relatively little emphasis on the
value of realised revenue or savings (7% of organisations). Irish
participants accorded high ranking in process-based measures,
for example, 86% cited completed audits per plan as a metric,
47% included the length of time for the issue of an audit report
and 33% cited length of time to resolve audit ndings.
These ndings are interesting against an environment
where 54% of organisations assess their internal function as
somewhat effective and 39%, very effective. It is important to
establish a value charter and scorecard to assess if and whereInternal Audit is qualitatively adding value. Irish organisations
need to track and monitor the success of their Internal Audit
function more and share their assessments with senior
management and the Board.
0 10 20 30 40 50 60
39%Very effective
54%Somewhat effective
2%Neither effective
nor ineffective
2%Somewhat
2%Very ineffective
Q:How would you rate your organisation’s Internal Audit
function today?
Senior management equally have a role to play in helping
Internal Audit be more relevant to the business. Our experience
at EY is that senior management and Boards need to get
better at giving feedback to the Internal Audit function on it’s
performance and value scorecard.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
28/32
26 EY
Internal Audit: Where do we gofrom here?
We set out to gain an understanding of the evolution of
Internal Audit in Ireland, and our research has highlighted the
predominant view that in order to deliver maximum value to
senior executives Internal Audit needs to be aligned to the
strategic goals of the organisation.
Four key priorities emerged to facilitate this alignment:
1) Align Internal Audit to the strategic goals of the
organisation.
2) Drive efciency through integration, talent management
and use of data analytics.
3) Maintain a balance between assurance and advisory
reviews.
4) Run Internal Audit like a business.
The question that must now be asked is, ‘where should Internal
Audit go from here?’ Irish organisations have shown a clearindication of the direction in which the Internal Audit function
needs to evolve. We are seeing new expectations of Internal
Audit emerge, including increased expectations to detect
and eliminate waste and fraud; identify inefciency and cost
competitiveness opportunities; as well as introduce and bolster
best practice in every operational area. The on-going economic
downturn has added to the momentum of the Internal Audit
role, rather than impeding it.
In summary, as some Irish Internal Audit leaders appear to be
keeping pace and are responding to the changes we are seeing
in Internal Audit, for others there is word of caution – invest
now in getting to know your stakeholders and what they expect
from you as a function and how they perceive value. In order
to demonstrate value Internal Audit leaders need to startmanaging the function like a business with proper reporting
on its performance and achievements. If Internal Audit
leaders in Ireland can do this then they will stay relevant to the
organisation – otherwise the business will leave them behind.
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
29/32
27EY
Key considerations for your Internal Audit plan
The Internal Audit risk assessment and the ongoing
refresh processes are critical to identifying
and ltering the activities that Internal Audit
can perform to provide measurable benet to
the organisation. This document is intended tofacilitate discussion as your organisation develops
and updates its Internal Audit activities for 2013.
Matching Internal Audit talent to organisational
needs
Internal Audit functions currently lack the specialist
skills and competencies their organisation needs.
Corporate leaders are demanding that Internal
Audit improves visibility and provides strategic
insights that can deliver lasting value for the
organisation and enable leadership to anticipate
traditional and emerging risks.
Internal Audit’s role during the strategic
transactions life cycle
Mergers and acquisitions (M&A) and divestitures
remain some of the most risk-heavy initiatives
that any organisation can undertake. This report
details the key areas where Internal Audit (IA) can
play a crucial role in an organisation’s strategic
transactions life cycle.
Turning risk into results: how leading companies
use risk management to fuel better performance
Companies with more mature risk management
practices outperform their peers nancially. Findout how leading companies are turning risk into
results.
Internal Audit: Think Tank series
Over the past ve years, EY has facilitated a very successful
Internal Audit Think Tank network in Ireland. Over 50 Heads of
Internal Audit participate in this network.
This network offers you the opportunity to explore currentbusiness and market issues through the lens of the unique
challenges you face in your role. The aim of this network is to
bring peers together to exchange ideas, share best practice
and network in a condential environment.
Your views in shaping this network are really important and
the topics are selected based on your feedback and upcoming
regulatory changes. Throughout 2014 we will continue to bring
you a mix of external speakers as well as EY experts. Chatham
House Rule will apply and further details will be sent closer to
each meeting.
We will also provide you with regular thought leadership tohelp you carry out your role effectively and add value to your
organisation.
We hope you nd this publication useful and informative and
if you have any queries, please do not hesitate to contact us
directly.
Contacts
Liam McCaul
Head of Advisory
[email protected]+353 1 221 2235
Colm Devine
Partner, Advisory | Risk
[email protected]+44 28 9044 3560
Cormac Murphy
Partner, Financial Services | Risk
[email protected]+353 1 221 2750
Want to learn more?
Access this report online at
ey.com/ie/InternalAudit
EY Insights
The EY Insights app gives you access to
in-depth reports, surveys and thought-
provoking analyses on these issues,covering every major industry sector
across the world. Stay informed and
connected with EY Insights.
Download the app to your smartphone, ey.com/EYInsightsi
http://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENThttp://docs.iweb.ey.com/GLOBAL//CKR//NEMIABASCKR.NSF/($VERITY)/DEC11E232EB77FEEC12579A50057CB8C?OPENDOCUMENT
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
30/32
28 EY
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
31/32
29EY
Giant’s Causeway, Antrim
-
8/15/2019 EY Staying Relevant the Evolving Role of Internal Audit in Ireland
32/32
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build
trust and condence in the capital markets and in economies
the world over. We develop outstanding leaders who team to
deliver on our promises to all of our stakeholders. In so doing,
we play a critical role in building a better working world for our
people, for our clients and for our communities.
EY refers to the global organisation and may refer to one or
more of the member rms of Ernst & Young Global Limited,
each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not provide
services to clients. For more information about our organisation,
please visit ey.com.
© 2013 Ernst & Young. Published in Ireland. All Rights
Reserved.
2543.indd 12/13. Artwork by the BSC (Ireland)
ED None
The Irish rm Ernst & Young is a member practice of
Ernst & Young Global Limited. It is authorised by the Instituteof Chartered Accountants in Ireland to carry on investment
business in the Republic of Ireland.
Ernst & Young, Harcourt Centre, Harcourt Street, Dublin 2,
Ireland.
Information in this publication is intended to provide only a
general outline of the subjects covered. It should neither be
regarded as comprehensive nor sufcient for making decisions,
nor should it be used in place of professional advice. Ernst &
Young accepts no responsibility for any loss arising from any
action taken or not taken by anyone using this material.
ey.com